Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N
Lifecycle Timeline
2DescriptionCVE.org
The hk_shortcode plugin for WordPress is vulnerable to Stored Cross-Site Scripting via the 'title-plane' shortcode in versions up to, and including, 1.0. This is due to insufficient input sanitization and output escaping on user-supplied shortcode attributes in the huankong_post_short_title_plane() function, where the 'title' attribute is concatenated directly into HTML output without any escaping. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page.
AnalysisAI
Stored Cross-Site Scripting in the hk_shortcode WordPress plugin (versions ≤1.0) enables authenticated contributors to inject persistent malicious scripts via the unsanitized 'title' attribute of the 'title-plane' shortcode. The vulnerability stems from direct HTML concatenation of unescaped user input inside the huankong_post_short_title_plane() function - once a crafted post is saved, the payload executes in the browsers of all users who visit the affected page, crossing into their sessions (CVSS S:C). No public exploit code has been identified at time of analysis, and with an EPSS of 0.03% (9th percentile), mass automated exploitation is unlikely; however, multi-author WordPress sites with open contributor registration carry meaningful exposure.
Technical ContextAI
The vulnerability resides in function/shortcode.php (lines 6 and 8) of the hk_shortcode WordPress plugin v1.0, accessible in the WordPress Plugin Repository under the 1.0 tag. CWE-79 (Improper Neutralization of Input During Web Page Generation - Cross-site Scripting) describes the root cause: user-controlled data from the shortcode 'title' attribute is concatenated directly into the HTML output of huankong_post_short_title_plain() without sanitization via wp_kses, esc_html, or equivalent WordPress escaping APIs. WordPress processes shortcodes server-side during page rendering; contributor-level users have sufficient permissions to embed shortcodes in posts and pages through the standard content editor. The CVSS vector (AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:L/A:N) indicates the injection is network-reachable, requires low attack complexity, demands only low privileges, and achieves a changed scope - meaning the injected scripts operate in the security context of visiting users rather than the attacker's own session. No CPE string was supplied in source data; affected product is identified by plugin slug 'hk-shortcode' and version range 0 through 1.0 per EUVD-2026-32091.
RemediationAI
No vendor-released patched version has been identified at time of analysis - available references link only to the 1.0 source code and the Wordfence advisory without citing a fixed release; administrators should verify current plugin status directly in the WordPress Plugin Repository before assuming no update exists. The primary recommended action is to deactivate and remove the hk_shortcode plugin until a patched version is confirmed available, as the vulnerable code path (direct HTML concatenation) cannot be mitigated at the site configuration level without removing the plugin. As a compensating control where plugin removal is not immediately feasible, restrict contributor-level role assignments to strictly vetted, trusted users - since exploitation requires at minimum contributor access, eliminating untrusted contributor accounts closes the attack vector. Additionally, deploying a WAF with a stored XSS ruleset (Wordfence's own firewall may include a rule for this CVE - confirm at the advisory URL above) can provide partial coverage, though WAF rules carry bypass risk and should be treated as a temporary measure only. Note that WordPress's built-in content filtering does not sanitize shortcode attributes by default, so no core WordPress setting alone mitigates this issue.
The isMail transport in PHPMailer before 5.2.20 might allow remote attackers to pass extra parameters to the mail comman
The Backup Migration plugin for WordPress is vulnerable to Remote Code Execution in all versions up to, and including, 1
The Hash Form - Drag & Drop Form Builder plugin for WordPress is vulnerable to arbitrary file uploads due to missing fil
The GiveWP - Donation Plugin and Fundraising Platform plugin for WordPress is vulnerable to PHP Object Injection in all
The Simple File List plugin for WordPress through version 4.2.2 contains an unauthenticated remote code execution vulner
The AI Engine WordPress plugin through version 3.1.3 exposes Bearer Token values through the /mcp/v1/ REST API endpoint
The Ninja Forms plugin before 2.9.42.1 for WordPress allows remote attackers to conduct PHP object injection attacks via
The Business Directory Plugin - Easy Listing Directories for WordPress plugin for WordPress is vulnerable to time-based
SQL injection in the NotificationX WordPress plugin (versions up to and including 2.8.2) allows unauthenticated remote a
The POST SMTP Mailer - Email log, Delivery Failure Notifications and Best Mail SMTP for WordPress plugin for WordPress i
The MasterStudy LMS WordPress Plugin - for Online Courses and Education plugin for WordPress is vulnerable to union base
The Country State City Dropdown CF7 plugin for WordPress is vulnerable to SQL Injection via the ‘cnt’ and 'sid' paramete
Same weakness CWE-79 – Cross-site Scripting (XSS)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-32091
GHSA-r95h-x8fx-8ph9